Legal claims defining the scope of protection, as filed with the USPTO.
1. A method of preventing time of check to time of use exploits, the method comprising: receiving a system call from a user space at a system call intercept; copying user space parameters from the user space to a kernel space responsive to the system call; initiating a service thread within the kernel space, wherein the service thread is operable to create a secure location in the user space and pass an offset indicative of a location of the secure location to the system call interrupt; copying the user space parameters from the kernel space to the secure location in the user space, wherein the service thread that creates and manages the secure location is contained in a trusted daemon; receiving the user space parameters from the secure location at the system call intercept, wherein receiving the user space parameters from the secure location comprises receiving at least one pointer directed to the secure location; determining whether the secure location is mapped to the system call; and mapping the secure location into an address space of a process making the system call based on the determination; executing the system call based on the received user space parameters; and notifying the service thread based on execution of the system call, wherein the secure location is closed to all requests after the user space parameters are copied to the secure location and until the service thread is notified of system call execution.
2. The method of claim 1, wherein the secure location in the user space is a shared memory location.
3. The method of claim 1, wherein the secure location in the user space is a memory location whose access privileges are held only by kernel space entities or kernel space processes.
4. The method of claim 1, wherein the secure location in the user space is not accessible by user space entities or user space processes.
5. The method of claim 1, wherein the secure location in the user space is not persisted.
6. The method of claim 1, further comprising removing a copy of the user space parameters from the kernel space in response to copying the user space parameters from the kernel space to the secure location in the user space.
7. The method of claim 1, wherein the service thread provides the user space parameters from the secure location to the system call intercept.
8. The method of claim 1, wherein the user space parameters are provided from the secure location to the system call intercept in response to a direct request from one of the system call intercept or the trusted daemon.
9. The method of claim 1, wherein the secure location is closed prior to execution of the system call, and wherein the secure location is open for further use by a next system call following execution of the system call.
10. A computer program product comprising a computer readable storage medium having a computer readable program recorded thereon, wherein the computer readable program, when executed on a computing device, causes the computing device to: receive a system call from a user space at a system call intercept; copy user space parameters from the user space to a kernel space responsive to the system call; initiate a service thread within the kernel space, wherein the service thread is operable to create a secure location in the user space and pass an offset indicative of a location of the secure location to the system call interrupt; copy the user space parameters from the kernel space to the secure location in the user space, wherein the service thread that creates and manages the secure location is contained in a trusted daemon; receive the user space parameters from the secure location at the system call intercept, wherein receiving the user space parameters from the secure location comprises receiving at least one pointer directed to the secure location; determine whether the secure location is mapped to the system call; and map the secure location into an address space of a process making the system call based on the determination; execute the system call based on the received user space parameters; and notify the service thread based on execution of the system call, wherein the secure location is closed to all requests after the user space parameters are copied to the secure location and until the service thread is notified of system call execution.
11. The computer program product of claim 10, wherein the secure location in the user space is a shared memory location.
12. The computer program product of claim 10, wherein the secure location in the user space is a memory location whose access privileges are held only by kernel space entities or kernel space processes.
13. The computer program product of claim 10, wherein the secure location in the user space is not accessible by user space entities or user space processes.
14. The computer program product of claim 10, wherein the secure location in the user space is not persisted.
15. The computer program product of claim 10, wherein the computer readable program further causes the computing device to remove a copy of the user space parameters from the kernel space in response to copying the user space parameters from the kernel space to the secure location in the user space.
16. The computer program product of claim 10, wherein the service thread provides the user space parameters from the secure location to the system call intercept.
17. The computer program product of claim 10, wherein the user space parameters are provided from the secure location to the system call intercept in response to a direct request from one of the system call intercept or the trusted daemon.
18. The computer program product of claim 10, wherein the secure location is closed prior to execution of the system call, and wherein the secure location is open for further use by a next system call following execution of the system call.
19. An apparatus, comprising: a processor; and a memory coupled to the processor, wherein the memory comprises instructions which, when executed by the processor, cause the processor to: receive a system call from a user space at a system call intercept; copy user space parameters from the user space to a kernel space responsive to the system call; initiate a service thread within the kernel space, wherein the service thread is operable to create a secure location in the user space and pass an offset indicative of a location of the secure location to the system call interrupt; copy the user space parameters from the kernel space to the secure location in the user space, wherein the service thread that creates and manages the secure location is contained in a trusted daemon; receive the user space parameters from the secure location at the system call intercept, wherein receiving the user space parameters from the secure location comprises receiving at least one pointer directed to the secure location; determine whether the secure location is mapped to the system call; and map the secure location into an address space of a process making the system call based on the determination; execute the system call based on the received user space parameters; and notify the service thread based on execution of the system call, wherein the secure location is closed to all requests after the user space parameters are copied to the secure location and until the service thread is notified of system call execution.
20. The apparatus of claim 19, wherein the secure location in the user space is a memory location whose access privileges are held only by kernel space entities or kernel space processes.
February 2, 2010